Jan. 17th, 2022 – Final Update to the LastPass Breach
“Parachute manufacturers have a low tolerance for risk, right?” Bradley Gross said to a group discussion CyberHoot was participating in recently relating to the LastPass breach. “That doesn’t stop them from manufacturing parachutes, now does it?” If you go sky diving, you have a second chute as a backup, you train diligently on emergency procedures, and you fold your own chute; you do these things to ensure the best possible chance of success, because failure is, well, deadly. This analogy can be applied to Password Managers. They are your parachute protecting your digital identity. When failures occur, they can be devastating, but you must have your chute.
In the online, connected world we live in today, you must have and use a Password Manager. However, a critical failure like the LastPass breach gives us an opportunity to step back and evaluate our criteria for how we choose a password management vendor and how we operate the solution. We must look at the implementation of our chosen password management solution to ensure it is ‘packed correctly’. We need to train for emergency situations like this one (no software ever written is perfect). We need to choose the best manufacturer possible. This blog article outlines CyberHoot’s criteria for choosing a Password Management vendor, which you can leverage for your business or for your Managed Services Provider (MSP).
CyberHoot has decided to migrate to another Password Management (PM) platform. We’ve also agreed to stop recommending a specific password manager to others. There are many reasons for this change. We generally listen to cybersecurity gurus like Bruce Schneier, Brad Deflin of TotalDigitalSecurity, and Jeremi Gosney (Yahoo security researcher). They too have recently concluded that the latest LastPass security breach, and the company’s communications about it, are the last straw, and it’s time to migrate. But who do you choose, and how do you choose them?
CyberHoot has learned a lot about PM solutions during this latest event. We have researched the many challenges facing these vendors. They really are comparable to Parachute manufacturers. Therefore, CyberHoot suggests you follow our criteria for choosing your PM tool:
- First and foremost: given the criticality of the data contained in your Password Manager, the fact that most products are cloud-enabled (exposing them to a large body of attackers), and the fact that no software solution ever written was perfect, CyberHoot recommends you find a vendor that conducts multiple 3rd party Application Security Assessments, Penetration Tests, and audits of its platform, architecture and codebase. You want a product that has been independently verified, on an annual basis, by more than one 3rd party (if possible). While this is not a guarantee that all bugs and vulnerabilities have been identified, it’s certainly better than not having them done at all. All other criteria are really of secondary importance.
- Many folks have argued that cloud-enabled SaaS PMs are still viable and important for ease of use, but there are also stand-alone solutions that do not synchronize through the cloud (Internet). You will need to decide whether you want cloud synchronization or not.
- A robust Bug-Bounty program is also a very strong indicator that the vendor is serious about finding and eliminating critical risks in their platform. It provides grey hat and white hat hackers the financial incentive to sell their zero-day bugs to the vendor instead of the dark web. You want a PM solution that documents its bug bounty program.
- Features, pricing, and functionality will be your next and final set of criteria to measure by. This is where most vendors are quite close to one another. The feature sets and functionality (browser plugin, mobile device support, technical support) are broadly similar, with a few differentiating features between vendors. In this area, if you’ve satisfied Criteria 1 and 2 above, then the choice comes down to preference, ease of use, and your own specific needs. Consider reviewing these three Password Manager reviews from trusted technical advisors:
CONCLUDING THOUGHTS FROM CYBERHOOT:
In looking through the Password Manager reviews performed by ZDNet, Tom’s Guide, and PC Magazine, we did not find references to the critical criterion of vendors having contracted for independent 3rd party security audits, application security assessments, or penetration testing of their cloud architecture. Following the parachute analogy one last time, would you choose a parachute manufacturer that said “trust us, we know what we’re doing,” or one that was certified to ISO 9000 manufacturing standards annually by multiple 3rd party audits?
Therefore, CyberHoot went looking for vendor references to these software audits and testing reviews on vendors’ websites. Below you will find links to PM vendors’ 3rd-party reviews, audits, assessments and testing. Review these carefully, as they are not all equal. Many PM vendors made no mention of this kind of testing and auditing of their product or architecture.
Let CyberHoot reiterate: given the LastPass challenges, Criteria 1 above is the basic decision point that must be met before proceeding to Criteria 2, 3, and 4 in choosing your password manager.
3RD PARTY AUDITS OF PASSWORD MANAGERS ACCORDING TO THE VENDORS
Keeper 3rd Party Security Audits (search for Audits)
Final Tip: You have a Master Services Agreement in place – right?
MSPs need to provide support for password managers to their clients. When the manufacturer fails, your Master Services Agreement should be in place to protect you from liability. Make sure you have an MSA in place with each of your clients, and that it provides the appropriate protection for a potential “chute failure” by a software manufacturer. Don’t stop sky diving; just make sure you’re prepared for all the eventualities.